New Update Microsoft Authenticator - Advanced Security Features

[silversurfer]

MFA has shown in the past that its is exploitable. In August of 2022, Microsoft email users, even those with MFA on, were falling to a new phishing attack. Only a couple of weeks later, there were reports of hackers bypassing MFA and brute forcing passwords. Then there's also MFA fatigue or MFA spamming or push bombing attacks, which bombards the user with MFA push notifications in hopes that a user accepts the request and gives access to a threat actor by mistake.

To combat such attacks, Microsoft introduced "number matching" as an additional step in its Microsoft Authenticator app to enhance the security provided by Multi-Factor Authentication (MFA) last year. And from today, May 8, 2023, the Redmond giant is enforcing number matching for all users. Hence, users will need to enter the number provided into their Authenticator app when signing in.

The support article notes:

Number matching is a key security upgrade to traditional second factor notifications in Microsoft Authenticator. We will remove the admin controls and enforce the number match experience tenant-wide for all users of Microsoft Authenticator push notifications starting May 8, 2023.
We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after May 8, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance.

You can find more details about Number Matching on Microsoft's official website.

Microsoft begins pushing number matching MFA on Authenticator starting today

Introduced earlier this year in February, Microsoft will now begin enforcing number matching in Authenticator starting today. It adds an extra layer of security for multi-factor authentication (MFA).

www.neowin.net

 

[simmerskool]

Microsoft begins pushing number matching MFA on Authenticator starting today

Introduced earlier this year in February, Microsoft will now begin enforcing number matching in Authenticator starting today. It adds an extra layer of security for multi-factor authentication (MFA).

www.neowin.net

skimmed the article & MS official site, not sure I fully understand what it is saying, somewhat seems like MS is forcing you to use their MS authenticator app, rather than, eg, Authy, or...?? or perhaps I do not understand...

 

[silversurfer]

skimmed the article & MS official site, not sure I fully understand what it is saying, somewhat seems like MS is forcing you to use their MS authenticator app, rather than, eg, Authy, or...?? or perhaps I do not understand...

No forcing to use MS authenticator

Rather it’s recommended as security improvement for users of Microsoft Authenticator, they can decide to enable:

"number matching" as an additional step in its Microsoft Authenticator app to enhance the security provided by Multi-Factor Authentication (MFA)

Number matching​

Number matching can be targeted to only a single group, which can be dynamic or nested. On-premises synchronized security groups and cloud-only security groups are supported for the Authentication methods policy.

Number matching is available for the following scenarios. When enabled, all scenarios support number matching.

• Multifactor authentication
• Self-service password reset
• Combined SSPR and MFA registration during Authenticator app set up
• AD FS adapter
• NPS extension

How number matching works in multifactor authentication push notifications for Microsoft Authenticator - Microsoft Entra ID

Learn how to use number matching in MFA notifications

learn.microsoft.com

 

[simmerskool]

No forcing to use MS authenticator

Rather it’s recommended as security improvement for users of Microsoft Authenticator, they can decide to enable:

How number matching works in multifactor authentication push notifications for Microsoft Authenticator - Microsoft Entra ID

Learn how to use number matching in MFA notifications

learn.microsoft.com

ok, so if you're using MS Authenticator it's an option. Does not preclude other 2fa apps. thanks.

 

[Ink]

Google Prompt already does this. Good to see Microsoft implementing these additional changes.

 

[silversurfer]

Microsoft Authenticator is now blocking suspicious MFA phone notifications by default​

In May, Microsoft Authenticator added a new feature that required all users to match the number sent by Microsoft before they could respond to a new MFA notification on their phone with the Authenticator app. This was made to help defeat the spamming of these kinds of notifications by hackers.

However, in a new blog post, Microsoft has announced it has extended this kind of protection for the Authenticator app. It states:

Following the deployment of this feature, we now suppress Authenticator notifications when a request displays potential risks, such as when it originates from an unfamiliar location or is exhibiting other anomalies. This approach significantly reduces user inconvenience by eliminating irrelevant authentication prompts.

Microsoft Authenticator is now blocking suspicious MFA phone notifications by default

Microsoft has announced it has made some behind the scenes updates to its Authenticator app that will now block notifications of phone numbers that it believes might have been sent by hackers

www.neowin.net